Running Android in a Container How the play store runs on Chrome OS
How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL, audio buffers screen-on locks Network traffic, File I/O, Binder, etc CROS systems service (CRAS, powerd, Shill) Chrome OS Linux Kernel
Android Containerization • Namespaces • Device Access • File System • Input • Audio/Video/Graphics • Network
PID Namespace • Allows Android’s init to be PID 1 Chrome OS Android Container cros# pstree -ap andoid# ps init,1 USER PID PPID NAME | ... <snip> ... root 1 0 /init |-minijail0,4514 -u cras -g cras -G -- /usr/bin/cras shell 40 1 /sbin/adbd | `-cras,4865,cras keystore 37 1 /system/bin/keystore | ... <snip> ... media 35 1 /system/bin/mediaserver |-session_manager,1744 system 17 1 /system/bin/servicemanager | |-chrome,1811,chronos system 18 1 /system/bin/surfaceflinger | | |-chrome,2372 ... <snip> ... | | … <snip> ... | `-init,6057,android-root --second-stage | |-adbd,6143,657360 --root_seclabel=u:r:su:s0 | | `-{adbd},6144 | |-keystore,6140,656377 /data/misc/keystore | |-mediaserver,6138,656373 | | |-{mediaserver},6167 | | ... <snip> ... | |-servicemanager,6117,656360 | |-surfaceflinger,6118,656360 | | |-{surfaceflinger},6125 | ... <snip> ...
User Namespace • Allows Android to believe it is running as root • Android actually runs as UID=655360 • Clone flag CLONE_NEWUSER • Allows mounting of certain file systems
Mount Namespace • Gives Android its own view of system mounts • Pivot root to new location that Android sees as root • Really a squash FS filesystem image • Android can modify this mount namespace
Net Namespace • Isolates Android network interfaces • Give Android one bridged interface “arc0” • Network configuration is handled outside the container by shill arc0 veth_android 192.168.254.2 (no IP) Android container br0 192.168.254.1 NAT iptables –j MASQUERADE wlan0 eth1 tun0 LAN wifi LAN wired VPN Chrome OS host (init.ns)
cgroup Namespace cros# tree /sys/fs/cgroup/cpu/ |-- <control files, e.g. cpu.shares> |-- session_manager_containers } | |-- android | | |-- bg_non_interactive | | | |-- <control files, e.g. cpu.shares> Android owned | | | `-- tasks | | |-- <control files, e.g. cpu.shares> | | `-- tasks | |-- <control files, e.g. cpu.shares> | `-- tasks |-- tasks android# tree /dev/cpuctl |-- bg_non_interactive | |-- <control files, e.g. cpu.shares> | `-- tasks |-- <control files, e.g. cpu.shares> `-- tasks
Speed Boot Time Android Startup Chrome App Performance Performance
Security • Maintain Chrome OS security story • Verity, root of trust • Updates • Cgroups • Android Device Node Access • Alt-syscall • SELinux
Recommend
More recommend
